We will investigate legitimate reports and make every effort to quickly resolve any vulnerability. To encourage responsible reporting, we will not take legal action against you nor ask law enforcement to investigate you provided you make a good faith effort to avoid causing harm to us, our users, and anyone else. This includes avoiding privacy violations, destruction of data, and interruption or degradation of services.
The following test types are excluded from the scope:
- flooding (e.g. denial of service attempts, unthrottled vulnerability scans)
- physical testing such as office access (e.g. open doors, tailgating)
- social engineering (e.g. phishing, vishing)
The following issue types are excluded from scope:
- Low severity issues, including:
  - Issues that can be detected with tools such as Hardenize and Security Headers. We run regular scans with these services and try to improve our score gradually.
  - Content injection issues.
  - Cross-site Request Forgery (CSRF) with minimal security implications (Logout CSRF, etc.). In order for CSRF to be a valid issue it must affect some important action such as deleting one's account.
  - Missing cookie flags on non-security-sensitive cookies.
  - Disclosure of non-sensitive information. Our software is open source and we don't believe in security through obscurity.
  - Stack traces containing only public information.
  - Banner grabbing issues (figuring out what web server we use, etc.).
- Theoretical issues without an accompanying proof-of-concept demonstrating vulnerability, including:
  - open ports
  - out-of-date software
- Issues with no security implications (e.g. spelling mistakes); these should be reported publicly on GitHub.
- Issues in third-party services; these should be reported to the respective team.
We encourage hackers to read Web Hacking 101 and Breaking into Information Security: Learning the Ropes 101 to get a good idea of the type of issues that we are looking for.
We may modify the above guidelines at any time. Last update: January 18, 2018.
Hall of Fame
Thanks to the following researchers (most recent first) for having reported security issues to us via email:
Thanks to all hackers who have disclosed security issues to Gratipay on HackerOne, some of which also applied to Liberapay.
Thanks to the following people (most recent first) for having alerted Gratipay about security issues through other means:
- Sergey Bobrov — https://github.com/gratipay/security-flh0cu/issues/1
- BALAJI P R — https://github.com/gratipay/security-2a443f/issues/1
- BALAJI P R — https://github.com/gratipay/security-f4b75c/issues/1
- benhc123 — https://github.com/gratipay/gratipay.com/issues/2978
- Drew Callahan — https://github.com/gratipay/security-00001/issues/1
- Nitin Goplani — https://github.com/gratipay/gratipay.com/issues/2235
- danishtariq — https://github.com/gratipay/gratipay.com/issues/1536
- kudu adamziaja — https://github.com/gratipay/gratipay.com/issues/1460
- @Brkay_Aydin — https://twitter.com/Brkay_Aydin/status/377611459942817792
- greggles — https://github.com/gratipay/gratipay.com/commit/addbbda0eab0efa2d45272c99e689f7
- @kamilsevi — https://github.com/gratipay/gratipay.com/issues/1042
- dstufft — https://twitter.com/dstufft/status/319607503061131266
- wilkie & buttscicles — https://github.com/gratipay/gratipay.com/issues/722
- d0ugal, jacobian & spookylukey — https://github.com/gratipay/gratipay.com/issues/88